Systems and method for identifying and mitigating information security risks

ABSTRACT

Methods and systems for Sustained Testing and Awareness Refresh against Phishing threats (STAR*Phish™) are disclosed. In an embodiment, a method assigns schemes and unique identifiers to target e-mail addresses associated with user accounts. The method delivers e-mail messages to the targeted e-mail addresses, the e-mail messages comprising an HTTP request and a unique identifier associated with each of the user accounts. The method then receives, at a Phishing Metric Tool (PMT), a response including the unique identifier. The PMT logs training requirements for the user accounts, tracks response metrics for the training requirements, and redirects the respective HTTP requests to a phishing training tool (PTT). The PTT sends a notification of the user account identities and the unique identifiers to the PMT and returns a status for the training requirements for the user accounts. Upon completion of the training, the PMT sends completion notifications for the user accounts.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 13/297,570 filed on Nov. 16, 2011, claims priority to U.S. Provisional Application No. 61/414,142, filed on Nov. 16, 2010, and U.S. Provisional Application No. 61/502,678, filed on Jun. 29, 2011. The entire contents of these prior applications are incorporated by reference in their entireties.

BACKGROUND OF THE DISCLOSURE

1. Field of the Disclosure

The field of the disclosure relates generally to information security training, and, more particularly, to phishing awareness training.

2. Description of the Related Art

Social engineering attacks, such as phishing, constitute a common threat to an organization's information technology (IT) enterprise systems and data. Phishing attacks target individual users and seek to exploit them as the weakest link in the information security chain.

Conventional information security training consists of static presentations or test events that are exercised on a periodic basis (i.e., annually, quarterly, or monthly). However, given that attack methodologies are constantly evolving, information security threats quickly outpace the level of conventional training. This is especially true in the social engineering attack context. Accordingly, what is needed is more sophisticated information security training to better protect organizations and their data from these ever-evolving threats.

Traditional training techniques, such as annual data security training, are not targeted to susceptible users and fail to provide a consistent level of user awareness of security threats such as social engineering attacks. Accordingly, what is needed are systems and methods for providing a consistent level of user awareness and exploitation of “teachable moment” operant conditioning in order to provide focused training for susceptible users.

SUMMARY OF THE DISCLOSURE

The present disclosure is directed to exemplary methods, exemplary apparatus and exemplary systems that provide phishing awareness training to targeted users.

Based on service-oriented design, exemplary embodiments of the present disclosure provide awareness on evolving threats as they are detected, rather than waiting for annual or quarterly training efforts. Additionally, exemplary embodiments disclosed herein provide tailored exercises which can be geared towards specific staff, such as new hires or contractors. Metrics from exercises can be tracked over time to determine the effectiveness of training across various objectives and organizational demographics as well.

Additionally, tailored exercises can be geared towards specific, targeted user accounts, such as, but not limited to, user accounts associated with new hires, contractors, or users who have demonstrated a propensity for falling victim to social engineering attacks, either simulated or real, in the past.

Techniques for Sustained Testing and Awareness Refresh against Phishing threats (STAR*Phish™) disclosed herein are distinguishable from conventional techniques in several ways. One key premise of the systems and methods disclosed herein is to focus on exploiting a “teachable moment” to target training towards susceptible users, which is an emerging concept that the training systems described herein are built around. In accordance with an exemplary embodiment, users are trained in live exercises coordinated with incident response personnel, and those users who fall victim are immediately transferred to a training component. According to an exemplary embodiment, STAR*Phish™ includes two components: a Phishing Metrics Tool (PMT), and a Phishing Training Tool (PTT).

While training provides an engaging environment to learn about various attack methodologies used in phishing, it is also tailored to reinforce correct reporting procedures. In the course of training, users are shown the correct and safe way to report phishing, which goes beyond what most available training resources currently provide. While providing information on the threat, STAR*Phish™ also provides information on responding to the threat within the environment the user operates in.

This response process is customized to client policies and procedures, rather than an ambiguous response approach that might not be relevant for all users. STAR*Phish™ takes a unique approach from an architectural standpoint as well, by providing a dual-domain system. According to an embodiment, the PMT is hosted on an external, un-trusted domain which lends credibility to the security threat for all responses. According to this example embodiment, users are actually clicking on links and being directed to websites that are external to their organization's environment, rather than accessing a simulated capture site inside their own, trusted environment. However, the PMT directs users to training which is located on a trusted internal site associated with their organization. In this way, the “bait” provides a high level of realism, but once the response is captured users are provided training on a trusted domain. This increases the likelihood that users will continue with their training requirement, rather than assuming the training is part of a phishing attack.

The PMT provides several unique capabilities. First, the phishing exercises allow phishing e-mails to be customized, including a wide variety of attacks such as attachments and full credential captures. The responses, and the “teachable moment”, can be caught at varying stages depending on the objectives of the exercise. For example, users can be directed to training immediately after clicking a link, or can be allowed to enter credentials or run embedded code before being transferred to training. Additionally, the metrics being tracked by the PMT are extremely diverse and not currently provided in such depth by conventional training systems. The PMT tracks response types, shows response graphs based on IP and target email, illustrates geographic distributions of responses, and even uses heuristics to determine social network maps and potential administrative hosts. The PMT also has an agent-based design that can be used to run distributed phishing exercises according to client requirements. Agents can be used to distribute phishing e-mails, track responses, and update a central collection agent that tracks the metrics.

Finally, STAR*Phish™ is modular, and can be tailored to meet specific client needs. If requested, the PMT can be used to run stand-alone exercises as part of penetration tests, or the PTT can be implemented to provide a stand-alone training resource.

In an embodiment, a computer-implemented method for training disclosed herein provides distinguishing features not found in conventional training systems. In accordance with an exemplary embodiment, there are two ways that users can take the training: voluntarily or as part of a mandatory requirement. Voluntary training is promoted through social media, including communities of practice and demonstrations. In accordance with an exemplary embodiment, users are provided with an ADOBE™ Flash-based training simulation that provides a virtual e-mail client interface, mimicking what they are likely to use in normal operations. In an alternative exemplary embodiment, the training simulation is ADOBE™ Flex-based. In yet another alternative exemplary embodiment, the training simulation is implemented in the HTML5 language.

If users have been directed to the training as a result of responding to a phishing e-mail, they are immediately trained on the e-mail that they were targeted with, capitalizing on the threat to which they have responded. Additionally, the mandatory training component is tracked as part of the live exercises, and users are sent notifications of their training requirement. This notification system, incorporated into the PMT, prevents users from simply ignoring poor security practices.

The present disclosure is directed to exemplary systems, architectures, methods, and non-transitory computer readable storage media for implementing STAR*Phish™.

Further features and advantages of the present disclosure, as well as the structure and operation of various embodiments thereof, are described in detail below with reference to the accompanying drawings. It is noted that the present disclosure is not limited to the specific embodiments described herein. Such embodiments are presented herein for illustrative purposes only. Additional embodiments will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

The accompanying drawings, which are incorporated herein and form part of the specification, illustrate exemplary embodiments of the present disclosure and, together with the description, further serve to explain principles, aspects and features of the present disclosure. The exemplary embodiments are best understood from the following detailed description when read in conjunction with the accompanying drawings. It is emphasized that, according to common practice, the various features of the drawings are not to scale. On the contrary, the dimensions of the various features are arbitrarily expanded or reduced for clarity. Included in the drawings are the following figures:

FIG. 1 illustrates a modular view of an enterprise environment for identifying and mitigating information security risks, in accordance with an exemplary embodiment of the present disclosure;

FIG. 2A depicts a process diagram for identifying and mitigating information security risks in an architecture without distributed phishing agents, in accordance with an exemplary embodiment of the present disclosure;

FIG. 2B depicts a process diagram for identifying and mitigating information security risks in an architecture with distributed phishing agents, in accordance with an exemplary embodiment of the present disclosure;

FIG. 3 provides a Message Sequence Chart illustrating operational steps by which information security risks are identified and mitigated, in accordance with exemplary embodiments of the present disclosure;

FIG. 4 depicts a server-side administrative graphical user interface (GUI) for a phishing metric tool (PMT), according to an exemplary embodiment of the present disclosure;

FIGS. 5-6 depict a GUI for an email client to display and receive notification of susceptibility to a phishing attack, according to an exemplary embodiment of the present disclosure;

FIGS. 7-12 depict a GUI for displaying and completing a received phishing training exercise, according to an exemplary embodiment of the present disclosure;

FIG. 13 is a diagram of an exemplary computer system in which embodiments of the present disclosure can be implemented.

The features and advantages of the present disclosure will become more apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. Generally, the drawing in which an element first appears is indicated by the leftmost digit(s) in the corresponding reference number.

DETAILED DESCRIPTION

The present disclosure relates to systems and methods for providing sustained testing and awareness against social engineering threats to information security, such as phishing threats. In particular, the systems and methods provide a sustained user awareness training mechanism in a continuous, ongoing fashion and within a Web 2.0 training environment with live phishing exercises. In contrast to traditional periodic (e.g., annual) training, the systems and methods of the present disclosure provide a consistent level of user awareness and exploit “teachable moment” operant conditioning in order to provide focused training for users susceptible to social engineering attacks. Based on its service-oriented design, an exemplary system is able to provide awareness on evolving threats as they are detected, instead of waiting for an annual or quarterly training course. Additionally, tailored exercises delivered by the system can be geared towards specific staff, such as new hires or contractors. Metrics from the exercises can be tracked over time to determine effectiveness of training across various objectives and organizational demographics as well.

Embodiments of the systems and methods disclosed herein provide focused phishing awareness training wherein “teachable moments” are exploited so as to provide focused training for users that have demonstrated susceptibility to phishing. The systems and methods also adapt to evolving threats by including live exercises that are performed regularly with escalated complexity based on the level of user awareness demonstrated in previously-completed exercises. In embodiments, metrics from the exercises are tracked over time to determine the effectiveness of training across various objectives and organizational demographics. Embodiments also include customized training including components that can be implemented separately or in tandem to meet an organization's specific needs by merging testing and training components.

According to embodiments disclosed herein, live training exercises are coordinated using the PMT to allow testers to develop and send convincing, realistic phishing e-mail messages, track responses in real-time, and analyze and track metrics such as, but not limited to, response rates. As user responses are tracked by the PMT, teachable moments are exploited to train users while actions and perceptions are still fresh. In an embodiment, individual exercise components can be run without training to establish base metrics. Alternatively, exercise components can be included as part of an organization's penetration testing, which analyzes the impact of successful phishing attacks.

The methods and systems disclosed herein offer a training simulation that provides an engaging and informative environment that walks users through identification of suspicious e-mail messages and reinforces organizational reporting procedures. Embodiments of the training require users to be fully engaged so that they are not merely clicking through and acknowledging a pre-determined sequence of screens. The training can be offered as a stand-alone component as well as a voluntary training resource. Through sustained use of the training, as opposed to traditional periodic training offered at set times, evolving threats are addressed and users are provided with consistent training opportunities that maintain user awareness at all times.

While the present disclosure is described herein with reference to illustrative embodiments for particular applications, it is to be understood that the invention is not limited thereto. Those skilled in the art with access to the teachings provided herein will recognize additional modifications, applications, and embodiments within the scope thereof and additional fields in which the invention would be of significant utility.

Unless specifically stated differently, in an embodiment, a user is interchangeably used herein to identify a human user, a software agent, or a group of users and/or software agents. Besides a human user who may be susceptible to information security breaches and phishing threats, a software application or agent sometimes can fall prey to information security attacks. Accordingly, unless specifically stated, the terms “user” and “user account” as used herein do not necessarily pertain to a human being.

FIG. 1 depicts an enterprise system 100, which allows a user account 132 to connect to web server 128 via Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) requests 110, in accordance with an embodiment of the present disclosure. While this embodiment is described chiefly in terms of a connection between a user account 132 from a client machine and web server 128, it is applicable to other servers such as e-mail server 122. Although web server 128 is depicted as an Apache web server, as will be appreciated by persons skilled in the relevant art, web server 128 may be implemented as another Hypertext Transfer Protocol (HTTP) web server. Similarly, while servlet 108 is depicted in FIG. 1 as an Apache Tomcat servlet, those skilled in the relevant art will appreciate that servlet 108 is not limited to being implemented as a Tomcat servlet.

System 100 utilizes a unique combination of training tied to a phishing exercise (e.g., a simulated attack via email messages). Phishing exercises, such as the ADOBE™ Flex and Flash training application 112 depicted in FIG. 1, utilize a unique identifier to track responses to specific crafted emails. The identifier allows reliable metrics, such as, but not limited to, geographic location tracking, as well as association of user accounts 132 and their responses to specific exercises. In one embodiment, the identifier is a 16 digit number that forms part of a uniform resource locator (URL) sent as an HTTP request redirect. In another embodiment, the identifier may be a parameter passed with email messages and HTTP redirect messages.

PTT 102/PMT 124 communications include the unique identifier in order to enable tracking of logins for user accounts 132 and training status. An update process allows PTT 102 to retrieve specific exercise e-mails from PMT 124 and include these in the training for targeted user accounts 132.

System 100 has multiple components, each with a highly specialized function. The Phishing Training Tool (PTT) 102 is a data-driven training interface that is used to train susceptible users. In an embodiment, the Phishing Metrics Tool (PMT) 124 is a web-based content development and management interface that is used to generate phishing e-mails, such as Post Office Protocol (POP) and Internet message access protocol (IMAP) e-mail messages 103, and track responses.

Deployment of system 100 for an organization entails customizing the components depicted in FIG. 1 to meet organizational training directives and aesthetics. Additionally, while no sensitive data is stored in system 100, individual instances of PMT 124 and PTT 102 are created to support a given organization, allowing for segregation of response statistics.

In order to provide realistic phishing exercises, in certain embodiments some aspect of the phishing exercise architecture for system 100 may reside on an untrusted domain external to the internal network 114 of the organization. For example, PMT 124, its PMT database server 126, and its web server 128, may reside on an untrusted domain external to internal network 114 and PTT database server 104 and e-mail server 122, which each reside on a trusted domain. As described below with reference to FIG. 2B, the use of Distributed Phishing Agents (DPAs), which can be registered on an untrusted domain for components of PMT 124, can lend additional realism to the training exercise by making web server 128 and PMT database server 126 appear to be truly external to internal network 114 and the user's trusted domain.

Although PTT and PMT database servers 104 and 126 are shown in the exemplary embodiment of FIG. 1 as MySQL servers, as will be appreciated by persons skilled in the relevant art, database servers 104 and 126 may also host other relational database management systems (RDBMSs), such as, but not limited to, Oracle™ database servers, servers hosting MICROSOFT™ SQL Server databases, and Sybase™ database servers. Similarly, while exemplary e-mail server 122 is shown as a MICROSOFT™ Exchange server, those skilled in the relevant art will appreciate that the e-mail server 122 may also be implemented as other e-mail servers, such as, but not limited to, a Lotus Domino server, a Lotus Notes server, and a Novell GroupWise server.

With continued reference to FIG. 1, the functionality of the components of system 100 is described below. The communications and relationships between the components of system 100 are described within the context of a computer-implemented method for providing sustained testing and awareness refresh training against social engineering threats to information security. Although the computer implemented method is described with reference to interactive computer-based training that improves an organization's awareness of phishing attacks, it is understood that the method can be applied to identifying and mitigating threats from other social engineering attacks. The steps of the computer implemented method do not necessarily have to occur in the order described below. As noted below, some of the steps are optional.

The method begins when target e-mail addresses for user accounts 132 are respectively assigned schemes and unique identifiers by PMT 124. In an embodiment, structured query language (SQL) statements 106 are sent between PMT database server 126 and web server 128 within PMT 124 to accomplish the assignment of schemes and unique identifiers.

Next, e-mail messages are delivered to user accounts 132 with respective unique identifiers. As shown in the exemplary embodiment of FIG. 1, this may be accomplished by sending Simple Mail Transfer Protocol (SMTP) requests 130 from web server 128 to e-mail server 122. The e-mail messages are then downloaded by the user accounts 132. In an embodiment, this may be done via POP/IMAP e-mail messages 103 sent via e-mail server 122.

Then, a vulnerable user logged into a user account 132 supplies a response to PMT 124 via an HTTP/HTTPS request 110 to web server 128. The HTTP/HTTPS request 110 includes the unique identifier discussed above. At this point, PMT 124 updates a status for the responding user account 132, logs a training requirement, and tracks response metrics for user account 132. As illustrated in FIG. 1, the status update, logging and metrics tracking can be accomplished by sending SQL statements 106 between PMT database server 126 and web server 128.

Next, the user associated with user account 132 is redirected to PTT 102 in real-time immediately after capturing the response, thus exploiting a “teachable moment” while the user's susceptibility to the simulated phishing attack is fresh in his mind. This re-direct can be accomplished by sending an HTTP/HTTPS redirect request 110 to user account 132 from training application 112 within PTT 102. Although training application 112 is depicted as an ADOBE™ Flex or Flash application, it is understood that training application 112 can be implemented in other development environments and languages, such as, but not limited to, HTML5.

As an optional step, user account 132 may be directed to PTT 102 via another HTTP/HTTPS request 110 from the training application 112 after a reminder notification has been sent. User account 132 may also be sent an HTTP/HTTPS response 110 from the training application 112 via web server 128 for voluntary training. In another optional step, user credentials for user account 132 are sent via a Lightweight Directory Access Protocol (LDAP) request 118 from servlet 108 to account database 116 within internal network 114. These user credentials can then be validated, providing confirmation of the identity of a user account 132 respondent. Next, PTT 102 sends notification of respondent identity and identifier to PMT 124 via an HTTP/HTTPS response 110.

During the execution of training application 112 by the user associated with user account 132, PMT 124 iteratively updates the training status and returns training exercise e-mail contents as applicable. According to one embodiment, this can be done by sending SQL statements 106 between PMT database server 126 and web server 128.

As an optional step, PMT 124 may send a reminder notification in response to determining that a user associated with a user account 132 does not complete the training within a designated time period. This notification can be sent via POP/IMAP e-mail messages 103 from e-mail server 122 to user account 132. In embodiments, the designated time period is a tunable parameter that can be adjusted by a training or system administrator of internal network 114. For example, the time period may be set to a predetermined number of hours, days, or weeks, as deemed necessary by the administrator.

Upon determining that the training has been completed by the user associated with user account 132, PTT 102 sends a completion notification. This notification can be sent as an HTTP/HTTPS response 110 between training application 112 and web server 128. In one embodiment, this step may additionally include generation and display of a completion certificate by training application 112. According to embodiments, the completion notification and/or certificate can be sent to user account 132 and an administrator for internal network 114.

Lastly, PMT 124 updates the status for user account 132 and sends a completion e-mail message to user account 132. As shown in FIG. 1, this completion e-mail message can be sent as an SMTP request 130 from web server 128 via e-mail server 122.

FIGS. 2A and 2B depict exemplary architectures and process diagrams for identifying and mitigating information security risks in an architecture without and with distributed phishing agents, respectively, in accordance with embodiments of the present disclosure. FIGS. 2A and 2B are described with continued reference to the embodiments illustrated in FIG. 1. However, FIGS. 2A and 2B are not limited to those embodiments.

As part of coordination tasks, an organization (i.e., “Client Y” in the exemplary embodiments of FIGS. 2A and 2B) in need of phishing awareness training may supply information about a valid e-mail server 122, such as public mail server 202, that can be used to send e-mails to user accounts 132 within client network 204.

In accordance with an embodiment, a customized version of the base instance of PTT 102, such as the client Y PTT instance 219 depicted in FIG. 2A, is deployed in Xservices environment 217. This allows trusted communications by deploying valid Secure Sockets Layer (SSL) certificates, plus the reliability of a hosted environment like Xservices environment 217.

As shown in FIG. 2A, in architecture 200 without distributed phishing agents, an isolated instance of the base instance of PMT 124 is deployed as a client Y PMT instance 209 on Penetration Testing Environment 207. This allows simulated attacks without compromising internal security policies. This isolated instance is shown in FIG. 2A as Client Y PMT instance 209.

Client Y PMT instance 209 sends e-mail messages 203 to a client-designated mail server, such as public mail server 202. Next, a susceptible user associated with a user account 132 within client network 204 clicks on a simulated phishing link/URL, triggering an HTTP/HTTPS request 205 to client Y PMT instance 209. According to an embodiment, client network 204 may be internal network 114 described above with reference to FIG. 1.

At this point, user account 132 is redirected to Client Y PTT instance 219 via an HTTP/HTTPS redirect request 213. Next, client Y PTT instance 219 and client Y PMT instance 209 coordinate training content and track completion statistics. As illustrated in FIG. 2A and described with reference to FIG. 1 above, this coordination can be accomplished by sending HTTP/HTTPS requests and responses 215 between client Y PTT instance 219 and client Y PMT instance 209.

FIG. 2B depicts an architecture 210 and process diagram for identifying and mitigating information security risks in an architecture with distributed phishing agents, in accordance with an embodiment of the present disclosure.

Within architecture 210, Distributed Phishing Agents (DPA) 201 are registered domains with no traceable connection to the host organization or internal network 114, and serve as proxies for capturing responses. According to an embodiment, DPAs 201 are registered domains that act as proxies that redirect users to appropriate resources, allowing the exercises to use a variety of links and avoid altered responses based on recognition of target uniform resource locators (URLs).

As shown in FIG. 2B, client Y PMT instance 209 sends e-mail messages 203 to a client-designated mail server, such as public mail server 202. Next, a susceptible user associated with a user account 132 within client network 204 clicks on a simulated phishing link/URL, triggering an HTTP/HTTPS request 223 to a DPA 201. According to an embodiment, client network 204 may be internal network 114 described above with reference to FIG. 1, but the DPAs 201 are external to client network 204.

Next, the user associated with user account 132 is redirected to client Y PTT instance 219 via an HTTP/HTTPS redirect 213 sent from the DPA 201 to client Y PTT instance 219. As shown in FIG. 2B, DPA 201 also updates client Y PMT instance 209 with response details 225 for user account 132.

At this point in the process, client Y PTT instance 219 and client Y PMT instance 209 coordinate training content and track completion statistics. As illustrated in FIG. 2B and described above with reference to FIGS. 1 and 2A, this coordination can be accomplished by sending HTTP/HTTPS requests and responses 215 between client Y PTT instance 219 and client Y PMT instance 209.

FIG. 3 is a message sequence chart illustrating a method 300 of sustained testing and awareness refresh against phishing threats in accordance with other exemplary embodiments.

FIG. 3 is described with continued reference to the embodiments illustrated in FIGS. 1, 2A and 2B. However, FIG. 3 is not limited to those embodiments.

Method 300 handles cases where a phishing HTTP request is sent from a browser session in response to a susceptible user clicking on a simulated phishing link. According to an embodiment, the browser session may be an Internet browser web-based e-mail client launched by a user associated with a user account 132 to read e-mail delivered by e-mail server 122.

Method 300 begins at step 336 where a phishing HTTP/HTTPS request is sent from browser 334 to PMT 124. As would be understood by persons skilled in the relevant art, the method 300 can be applied to various Internet browsers, including, but not limited to, MICROSOFT™ Internet Explorer, Mozilla Firefox, GOOGLE™ Chrome, APPLE Safari, and OPERA™.

In step 338, a redirect message is sent from PMT 124 to browser 334 so that in step 340, an application request can be sent from browser 334 to PTT 102. The request sent in step 340 can be for any embodiment of training application 112 described above with reference to FIG. 1.

In step 342, training application 112 is sent from PTT 102 to browser 334. Although training application 112 is shown in FIG. 3 as an ADOBE™ Flex application, as described above with reference to FIG. 1 and step 340, in alternative embodiments, training application 112 can be an ADOBE™ Flash application or an application developed in other environments/languages such as HTML5.

In steps 344-354, which are included in an optional login process within method 300, login credentials for user account 132 are sent and verified.

In step 344, login credentials for user account 132 are sent from browser 334 to PTT 102, which in turn forwards the credentials to servlet 108 in step 346. While servlet 108 is depicted in FIG. 3 as an Apache Tomcat servlet, those skilled in the relevant art will appreciate that servlet 108 is not limited to being implemented as a Tomcat servlet.

In step 348, an LDAP request 118 is sent by servlet 108 so that thecredentials can be successfully verified in step 349. As described abovewith reference to FIG. 1, credential verification in this step mayinclude checking the credentials against an account database 116 withininternal network 114.

In step 350, an LDAP-verification status is sent to servlet 108 so thatthe user account 132 can be logged in and a user session can be createdin step 352.

In step 354, an indication of the verified login is sent from servlet108 to PTT 102.

In step 356, an advance page is sent from PTT 102 to browser 334. In anembodiment, this advance page indicates in the browser session that atraining exercise is required.

In step 358, a start exercise message is sent from PTT 102 to PMT 124.According to an embodiment, the start exercise message includes a uniqueidentifier uniquely identifying the user account 132 that needs tocomplete the exercise provided by training application 112.

In step 360, the user associated with user account 132 can reviewinformational slides regarding the exercise, which are displayed bybrowser 334.

In step 362, a request for the exercise is sent from browser 334 to PTT102. Although the exercise is shown as an ADOBE™ Flex-based exercise inFIG. 3, it is to be understood that the exercise can be ADOBE™Flash-based or developed using other languages such as, but not limitedto, HTML5.

In step 364, the exercise is sent from PTT 102 to browser 334 so thatthe user associated with user account 132 can run the exercise onbrowser 334 in step 366.

In step 368, upon completion of the exercise, a completion notificationis sent from browser 334 to PTT 102 and in response, PTT 102 sends anexercise completion message to PMT 124 in step 370.

In step 372, the user associated with user account 132 can optionallysend a request from browser 334 to PTT 102 so that PTT 102 can send anHTML completion certificate back to browser 334 in step 374.
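The exchange of steps 336-374, as an added example that is not part of the patent or of any STAR*Phish™ implementation: a Python simulation of both tools in which the PMT assigns the unique identifier, turns the phishing click into a redirect, and tracks the training requirement through the status values listed in claim 4, while the PTT verifies the login, reports the start exercise message and the completion message, and issues the certificate. The class names, the hostnames, the 16-digit random ID format, and the in-memory password table that stands in for the LDAP verification of steps 348-350 are assumptions. Two checks the text implies but does not spell out are made explicit: a click carrying an ID the PMT never issued creates no training record, and the PMT refuses a start exercise message whose unique ID does not map to the account the PTT reports.

```python
# Added example (not the patent's code): simulation of the PMT/PTT exchange of
# method 300. Names, ID format, hostnames and the password table standing in
# for the LDAP check are assumptions; the status values follow claim 4.
import secrets
from enum import Enum
from urllib.parse import parse_qs, urlencode, urlparse


class Status(Enum):
    """Training-requirement states listed in claim 4."""
    NO_RESPONSE = "no response to the e-mail has been received"
    UNDERWAY = "training exercise underway"
    FAILED = "training exercise completed unsuccessfully"
    PASSED = "training exercise completed successfully"
    CERTIFIED = "completion certificate generated"
    NOTIFIED = "completion notification sent"


def uid_from(url):
    """Pull the unique ID out of a phishing or redirect URL's query string."""
    return parse_qs(urlparse(url).query).get("id", [None])[0]


class PhishingMetricTool:
    """PMT 124: assigns unique IDs, redirects clicks to the PTT, tracks status."""
    def __init__(self, ptt_url):
        self.ptt_url = ptt_url
        self.id_to_account = {}  # unique ID -> user account
        self.status = {}         # user account -> Status

    def assign(self, account):
        """Assign a 16-digit ID (FIG. 6) from a CSPRNG; return the phishing URL."""
        uid = f"{secrets.randbelow(10 ** 16):016d}"  # unguessable by design (assumption)
        self.id_to_account[uid] = account
        self.status[account] = Status.NO_RESPONSE
        return "https://pmt.example/click?" + urlencode({"id": uid})

    def handle_click(self, url):
        """Steps 336-338: phishing HTTP request in, redirect to the PTT out."""
        uid = uid_from(url)
        account = self.id_to_account.get(uid)
        if account is None:
            return 404, None  # unknown ID: no training record is created
        return 302, f"{self.ptt_url}/app?" + urlencode({"id": uid})

    def start_exercise(self, account, uid):
        """Step 358: the PTT reports a verified identity plus the unique ID."""
        if self.id_to_account.get(uid) != account:
            raise ValueError("unique ID does not belong to this account")
        self.status[account] = Status.UNDERWAY

    def exercise_completed(self, account, passed):
        """Step 370: status report; a failure means additional training (claim 1)."""
        self.status[account] = Status.PASSED if passed else Status.FAILED
        return not passed  # True -> redirect the account to more training


class PhishingTrainingTool:
    """PTT 102: verifies the login, serves the exercise, reports to the PMT."""
    def __init__(self, pmt, directory):
        self.pmt = pmt
        self.directory = directory  # account -> password, stand-in for LDAP
        self.sessions = {}          # session token -> (account, unique ID)

    def login(self, redirect_url, account, password):
        """Steps 344-358: verify credentials, create a session, start exercise."""
        if self.directory.get(account) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (account, uid_from(redirect_url))
        self.pmt.start_exercise(account, uid_from(redirect_url))
        return token

    def complete(self, token, passed):
        """Steps 368-370: completion message to the PMT; True means retrain."""
        return self.pmt.exercise_completed(self.sessions[token][0], passed)

    def certificate(self, token):
        """Steps 372-374: optional HTML certificate, issued only after a pass."""
        account, _ = self.sessions.pop(token)
        if self.pmt.status[account] is not Status.PASSED:
            return None
        self.pmt.status[account] = Status.CERTIFIED
        return f"<html>Certificate of completion: {account}</html>"


def run_sequence(passed=True):
    """Drive one constructed account through method 300; return the status history."""
    pmt = PhishingMetricTool("https://ptt.internal.example")
    ptt = PhishingTrainingTool(pmt, {"alice": "correct horse"})  # constructed
    url = pmt.assign("alice")
    history = [pmt.status["alice"]]
    code, location = pmt.handle_click(url)
    assert code == 302
    token = ptt.login(location, "alice", "correct horse")
    history.append(pmt.status["alice"])
    retrain = ptt.complete(token, passed)
    history.append(pmt.status["alice"])
    if not retrain:
        ptt.certificate(token)
        history.append(pmt.status["alice"])
        pmt.status["alice"] = Status.NOTIFIED  # completion notification sent
        history.append(pmt.status["alice"])
    return history
```

`run_sequence(True)` walks the account through all six states of claim 4 in order; `run_sequence(False)` stops at the unsuccessful completion, which is the point at which claim 1 has the PMT redirect the account to additional training.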

FIGS. 4-12 depict example graphical user interfaces (GUIs) for displaying information pertaining to sustained testing and awareness refresh against phishing threats. In an embodiment, a server side administrator application may include the exemplary interface illustrated in FIG. 4.

According to an embodiment, browser 334 may display the exemplary interfaces illustrated in FIGS. 5-12. FIGS. 4-12 are described with continued reference to the embodiments illustrated in FIGS. 1-3. However, FIGS. 5-12 are not limited to those embodiments. Throughout FIGS. 5-12, displays are shown with various hyperlinks, command regions, tabs, buttons, checkboxes, and data entry fields, which are used to initiate action, invoke routines, enter data, view data, or invoke other functionality, such as functionality of training application 112. For brevity, only the differences occurring within the figures, as compared to previous or subsequent ones of the figures, are described below.

FIG. 4 illustrates an exemplary GUI for viewing and editing task scheme information within a server side administrative interface, in accordance with an embodiment of the present disclosure. FIG. 4 illustrates a top-level administrative interface 400 for displaying and editing training settings associated with PMT 124. Administrative interface 400 is a server side administrative interface used to customize task schemes, such as the schemes described with reference to FIG. 1 above.

By clicking create classification link 476, an administrator for internal network 114 can create a classification for a training exercise. By selecting template links 478, the administrator can create and edit schemes. FIG. 4 also includes management links 480, which allow the administrator to create and edit training tasks in addition to customizing templates. Management links 480 also allow security reports to be viewed and edited and enable viewing and modification of control tasks.

Along with disseminating the phishing e-mail messages, PMT 124 can aggregate and track metrics for both past and ongoing exercises through use of control tasks link 488 within management links 480. Reporting links 482 within administrative interface 400 allow viewing of e-mail demographics, task status, and training metrics reports.

As shown in FIG. 4, classifications menu 484 for PMT 124 allows operators and administrators to select multiple phishing attack vectors for an exercise. Some exemplary attack vectors are provided in the exemplary classifications menu 484. However, it is to be understood that the list of attack vectors shown in FIG. 4 is not exhaustive. These attack vectors can be further customized through addition of attachments in attachments window 486.

FIG. 5 illustrates an exemplary web-based e-mail interface 590, which can be used by a user associated with user account 132 to retrieve POP/IMAP e-mail messages 103 from e-mail server 122. As shown in FIG. 5, a sample phishing e-mail message 592 can be displayed by e-mail interface 590 in the recipient's mailbox. The phishing e-mail message 592 displayed within e-mail interface 590 may include instructions to click on a seemingly innocuous phishing hyperlink 594.

Upon determining that a user has selected phishing hyperlink 594, the notification screen depicted in FIG. 6 can be displayed within browser 334. As shown in phishing URL 696 of FIG. 6, embedded in phishing e-mail message 592, user account 132 received a unique ID. Although the unique ID is shown in exemplary FIG. 6 as a 16-digit number as part of phishing URL 696, in alternative embodiments, the unique ID may have a different length or form, or be passed as a separate parameter. When phishing hyperlink 596 carrying the unique ID is selected, the user account 132 receives immediate notification 698 of the training requirement. Notification 698 takes advantage of the “teachable moment” by immediately informing the user what was done incorrectly, why this is a threat, and what should be done differently in the future. Additionally, informational message 699 can be displayed to allow the user to contact the help desk if he/she is suspicious that the page shown in FIG. 6 is not authentic. This gives the user a way to confirm that they need to take the training.

FIGS. 7-12 depict a simulated browser e-mail client interface 790 used as part of a phishing training exercise. According to an embodiment, simulated browser e-mail client interface 790 may be provided by training application 112 via web server 128.

In the exemplary embodiment shown in FIG. 7, upon launching a browser session within browser 334 and logging into a user account 132, a welcome message is displayed within dialog box 702 with instructions for the training exercise. FIG. 8 illustrates that a user can select a training e-mail message 804 displayed within simulated browser e-mail client interface 790. As shown in FIG. 8, a cumulative score is displayed within interface 790 (in the exemplary display of FIG. 8, the cumulative score is 790 because the training exercise has just begun).

FIGS. 9-12 depict how (semi) randomly determined elements 904 of simulated phishing e-mail messages can be displayed within simulated browser e-mail client interface 790. As shown in FIG. 9, for each of the (semi) randomly determined elements 904 of the e-mail message, the user is asked to click and categorize each as ‘Neutral’ or ‘Suspicious’ by selecting buttons in dialog box 906. As illustrated in FIG. 10, correct and incorrect choices are explained in dialog box 1008, which the user must acknowledge before proceeding with the training exercise.

FIG. 11 depicts how incorrect and correct phrases 1112 can be indicated within simulated browser e-mail client interface 790. In the exemplary embodiment described in FIG. 11, incorrect phrases 1112 are highlighted in red and correct phrases 1112 are highlighted in green. As shown in FIG. 11, a number of remaining attempts and remaining phrases 1112 can also be displayed in simulated browser e-mail client interface 790. With continued reference to FIG. 11, a message 1110 informs the user whether he has selected enough correct phrases 1112. In an embodiment, if not enough correct phrases have been selected and if this is the first attempt, the user may be told that he has not selected enough words and should try again. Alternatively, if this is the second attempt, a second message 1110 can be displayed, providing information that will help identify the phrases 1112 that should have been chosen. This message 1110 can also show points for the phrases that are correct. As shown in FIG. 12, after determining whether the training was completed successfully, either a congratulatory message 1214 or a further information message 1216 is displayed within simulated browser e-mail client interface 790. In the exemplary embodiment of FIG. 12, the further information message 1216 can include information on how to identify incorrect phrases. If enough correct phrases 1112 have been selected, a congratulatory message 1214 is displayed. At this point, to finish the e-mail exercise, the user can select the “Other Actions” button 1212.
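The exercise mechanics of FIGS. 9-12, as an added example that is not part of the patent or of training application 112: a small Python engine that (semi) randomly draws the elements 904 shown in a simulated message, grades each ‘Neutral’/‘Suspicious’ categorization with the explanation of dialog box 1008, and applies the two-attempt rule of FIG. 11, returning the red/green highlighting, the remaining attempts and phrases, and which of the messages 1110, 1214 or 1216 to show. The element pool is constructed, and the points per correct decision, the number of elements per message, and the reading of "enough correct phrases" as every suspicious phrase in the message are assumptions.

```python
# Added example (not the patent's code) of the FIG. 9-12 exercise mechanics.
# The element pool is constructed; the points value, the elements-per-message
# count and "enough phrases" meaning all suspicious phrases are assumptions.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    text: str
    suspicious: bool
    why: str  # explanation shown in dialog box 1008


POOL = [  # constructed sample elements of a simulated phishing message
    Element("From: it-support@examp1e.com", True, "look-alike sender domain"),
    Element("Your mailbox will be deleted in 24 hours", True, "artificial urgency"),
    Element("Click here to verify your password", True, "asks for credentials"),
    Element("http://198.51.100.7/login", True, "bare IP address instead of a hostname"),
    Element("Dear colleague", False, "a generic greeting alone proves nothing"),
    Element("Best regards, IT Department", False, "ordinary signature"),
    Element("Sent: Tuesday 09:14", False, "ordinary header"),
    Element("The office is closed on Friday", False, "ordinary announcement"),
]


class PhishingExercise:
    POINTS = 10       # per correct decision (assumption)
    MAX_ATTEMPTS = 2  # FIG. 11 describes a first and a second attempt

    def __init__(self, pool=POOL, per_message=4, seed=None):
        self.rng = random.Random(seed)  # seeded only for reproducible runs
        self.pool = list(pool)
        self.per_message = per_message
        self.score = 0          # cumulative score shown in interface 790
        self.elements = []      # elements 904 of the current message
        self.attempts_used = 0

    def draw(self):
        """(Semi) randomly choose the elements 904: at least one is suspicious."""
        first = self.rng.choice([e for e in self.pool if e.suspicious])
        rest = [e for e in self.pool if e is not first]
        self.elements = [first] + self.rng.sample(rest, self.per_message - 1)
        self.rng.shuffle(self.elements)
        return self.elements

    def categorize(self, element, choice):
        """Dialog 906: choice is 'Neutral' or 'Suspicious'; returns (correct, why)."""
        correct = (choice == "Suspicious") == element.suspicious
        if correct:
            self.score += self.POINTS
        return correct, element.why

    def attempt(self, selected):
        """FIG. 11: grade one attempt; `selected` is a set of phrase texts."""
        suspicious = {e.text for e in self.elements if e.suspicious}
        self.attempts_used += 1
        hits = selected & suspicious
        missed = suspicious - hits
        result = {
            "highlight": {t: "green" if t in suspicious else "red" for t in selected},
            "remaining_attempts": self.MAX_ATTEMPTS - self.attempts_used,
            "remaining_phrases": len(missed),
        }
        if not missed:
            self.score += self.POINTS * len(hits)
            result["message"] = "congratulations"  # message 1214
        elif self.attempts_used < self.MAX_ATTEMPTS:
            result["message"] = "not enough phrases selected, try again"  # message 1110
        else:
            result["message"] = "further information"  # message 1216
            result["missed"] = {e.text: e.why for e in self.elements if e.text in missed}
        return result
```

The second-attempt branch returns the missed phrases with their explanations, which is the content of the further information message 1216; a first failed attempt deliberately reveals only the count of remaining phrases, as FIG. 11 describes.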

Although exemplary embodiments have been described in terms of a computer implemented method or apparatus, it is contemplated that it may be implemented by microprocessors of a computer, such as the computer system 1300 illustrated in FIG. 13. In various embodiments, one or more of the functions of the various components may be implemented in software that controls a computing device, such as computer system 1300, which is described below with reference to FIG. 13. The processor(s) of the computer system are configured to execute the software recorded on a non-transitory computer-readable recording medium, such as a hard disk drive, ROM, flash memory, optical memory, or any other type of non-volatile memory.

Aspects of the present disclosure shown in FIGS. 1-12, or any part(s) or function(s) thereof, may be implemented using hardware, software modules, firmware, tangible computer readable media having instructions stored thereon, or a combination thereof and may be implemented in one or more computer systems or other processing systems.

FIG. 13 illustrates an example computer system 1300 in which embodiments of the present disclosure, or portions thereof, may be implemented as computer-readable code. For example, system 100 and architectures 200 and 210 of FIGS. 1, 2A and 2B, can be implemented in computer system 1300 using hardware, software, firmware, non-transitory computer readable media having instructions stored thereon, or a combination thereof and may be implemented in one or more computer systems or other processing systems. Hardware, software, or any combination of such may embody any of the modules and components used to implement the system and architectures of FIGS. 1, 2A and 2B. Similarly, hardware, software, or any combination of such may embody modules and components used to implement the method of FIG. 3.

If programmable logic is used, such logic may execute on a commercially available processing platform or a special purpose device. One of ordinary skill in the art may appreciate that embodiments of the disclosed subject matter can be practiced with various computer system configurations, including multi-core multiprocessor systems, minicomputers, mainframe computers, computers linked or clustered with distributed functions, as well as pervasive or miniature computers that may be embedded into virtually any device.

For instance, at least one processor device and a memory may be used to implement the above described embodiments. A processor device may be a single processor, a plurality of processors, or combinations thereof. Processor devices may have one or more processor “cores.”

Various embodiments of the present disclosure are described in terms of this example computer system 1300. After reading this description, it will become apparent to a person skilled in the relevant art how to implement the present disclosure using other computer systems and/or computer architectures. Although operations may be described as a sequential process, some of the operations may in fact be performed in parallel, concurrently, and/or in a distributed environment, and with program code stored locally or remotely for access by single or multi-processor machines. In addition, in some embodiments the order of operations may be rearranged without departing from the spirit of the disclosed subject matter.

Processor device 1304 may be a special purpose or a general purpose processor device. As will be appreciated by persons skilled in the relevant art, processor device 1304 may also be a single processor in a multi-core/multiprocessor system, such system operating alone, or in a cluster of computing devices operating in a cluster or server farm. Processor device 1304 is connected to a communication infrastructure 1306, for example, a bus, message queue, network, or multi-core message-passing scheme.

Computer system 1300 also includes a main memory 1308, for example, random access memory (RAM), and may also include a secondary memory 1310. Secondary memory 1310 may include, for example, a hard disk drive 1312 and a removable storage drive 1314. Removable storage drive 1314 may comprise a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash memory, or the like.

The removable storage drive 1314 reads from and/or writes to a removable storage unit 1318 in a well known manner. Removable storage unit 1318 may comprise a floppy disk, magnetic tape, optical disk, etc. which is read by and written to by removable storage drive 1314. As will be appreciated by persons skilled in the relevant art, removable storage unit 1318 includes a non-transitory computer usable storage medium having stored therein computer software and/or data.

In alternative implementations, secondary memory 1310 may include other similar means for allowing computer programs or other instructions to be loaded into computer system 1300. Such means may include, for example, a removable storage unit 1322 and an interface 1320. Examples of such means may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an EPROM, or PROM) and associated socket, and other removable storage units 1322 and interfaces 1320 which allow software and data to be transferred from the removable storage unit 1322 to computer system 1300. Computer system 1300 may also include a communications interface 1324.

Communications interface 1324 allows software and data to be transferred between computer system 1300 and external devices. Communications interface 1324 may include a modem, a network interface (such as an Ethernet card), a communications port, a PCMCIA slot and card, or the like. Software and data transferred via communications interface 1324 may be in the form of signals, which may be electronic, electromagnetic, optical, or other signals capable of being received by communications interface 1324. These signals may be provided to communications interface 1324 via a communications path 1326. Communications path 1326 carries signals and may be implemented using wire or cable, fiber optics, a phone line, a cellular phone link, an RF link or other communications channels. In this document, the terms “computer program medium,” “non-transitory computer readable medium,” and “computer usable medium” are used to generally refer to media such as removable storage unit 1318, removable storage unit 1322, and a hard disk installed in hard disk drive 1312. Signals carried over communications path 1326 can also embody the logic described herein. Computer program medium and computer usable medium can also refer to memories, such as main memory 1308 and secondary memory 1310, which can be memory semiconductors (e.g. DRAMs, etc.). These computer program products are means for providing software to computer system 1300.

Computer programs (also called computer control logic) are stored in main memory 1308 and/or secondary memory 1310. Computer programs may also be received via communications interface 1324. Such computer programs, when executed, enable computer system 1300 to implement the present disclosure as discussed herein. In particular, the computer programs, when executed, enable processor device 1304 to implement the processes of the present disclosure, such as the stages in the methods illustrated by the message sequence chart 300 of FIG. 3, discussed above. Accordingly, such computer programs represent controllers of the computer system 1300. Where the present disclosure is implemented using software, the software may be stored in a computer program product and loaded into computer system 1300 using removable storage drive 1314, interface 1320, and hard disk drive 1312, or communications interface 1324.

Embodiments of the present disclosure also may be directed to computer program products comprising software stored on any computer useable medium. Such software, when executed in one or more data processing devices, causes the data processing device(s) to operate as described herein. Embodiments of the present disclosure employ any computer useable or readable medium. Examples of computer useable mediums include, but are not limited to, primary storage devices (e.g., any type of random access memory), secondary storage devices (e.g., hard drives, floppy disks, CD ROMS, ZIP disks, tapes, magnetic storage devices, and optical storage devices, MEMS, nanotechnological storage device, etc.), and communication mediums (e.g., wired and wireless communications networks, local area networks, wide area networks, intranets, etc.).

It is to be appreciated that the Detailed Description section, and not the Summary and Abstract sections, is intended to be used to interpret the claims. The Summary and Abstract sections may set forth one or more but not all exemplary embodiments of the present disclosure as contemplated by the inventor(s), and thus, are not intended to limit the present disclosure and the appended claims in any way. Embodiments of the present disclosure have been described above with the aid of functional building blocks illustrating the implementation of specified functions and relationships thereof. The boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed.

The foregoing description of the specific embodiments will so fully reveal the general nature of the present disclosure that others can, by applying knowledge within the skill of the art, readily modify and/or adapt for various applications such specific embodiments, without undue experimentation, without departing from the general concept of the present disclosure. Therefore, such adaptations and modifications are intended to be within the meaning and range of equivalents of the disclosed embodiments, based on the teaching and guidance presented herein. It is to be understood that the phraseology or terminology herein is for the purpose of description and not of limitation, such that the terminology or phraseology of the present specification is to be interpreted by the skilled artisan in light of the teachings and guidance.

The breadth and scope of the present disclosure should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

What is claimed is:
 1. A computer-implemented method for identifying and mitigating information security risks, the method comprising: assigning unique identifiers to a plurality of target e-mail addresses, wherein each e-mail address is associated with an individual user account, respectively; delivering an e-mail message to one or more of the plurality of target e-mail addresses, wherein the e-mail message comprises a hypertext transfer protocol (HTTP) request and a unique identifier associated with a user account; receiving, at a Phishing Metric Tool (PMT), a response including the unique identifier; logging, by the PMT, a training requirement for the user account; tracking, by the PMT, response metrics for the training requirement; redirecting the HTTP request to a phishing training tool (PTT); sending, by the PTT, a notification of a verified identity of the user account and the unique identifier to the PMT; returning a status report for the training requirement, the status report including an indication of whether the user account has failed at least a portion of the training requirement; and redirecting, by the PMT, the user account to undergo an additional training requirement related to the portion of the training requirement which was failed, upon receipt of the status report, when the status report indicates that the user account has failed at least the portion of the training requirement so that the user account is subjected to the additional training requirement, wherein the PMT and the PTT are respectively implemented by at least one processor of a computer processing device.
 2. The method of claim 1, wherein each target e-mail address is associated with a user account in an organization, and a training exercise is associated with the training requirement for the user account respectively associated with the target e-mail address.
 3. The method of claim 2, further comprising: updating, by the PMT, the status of the training requirement, wherein the status is based at least in part on the tracked response metrics.
 4. The method of claim 3, wherein the status indicates at least one of: a response to the e-mail message has not been received; the training exercise is underway; the training exercise has been completed unsuccessfully; the training exercise has been completed successfully; a certificate for a successfully completed training exercise has been generated; and a notification for a completed training exercise has been sent.
 5. The method of claim 4, wherein the notification is an e-mail message sent to the target e-mail address.
 6. The method of claim 4, further comprising: sending a reminder notification to the target e-mail address in response to determining that the user account has not completed information security training within a pre-determined period of time.
 7. The method of claim 4, wherein the notification is an e-mail message sent to an administrator e-mail address associated with a system administrator of the organization.
 8. The method of claim 7, further comprising: sending a reminder notification to the administrator e-mail address in response to determining that the user account has not completed information security training within a pre-determined period of time.
 9. The method of claim 2, further comprising: receiving, at the PTT, credentials for the user account; validating, by the PTT, the credentials for the user account; verifying a login to the user account based upon the validated credentials; and sending a start exercise message for the training exercise based upon verifying the login.
 10. A non-transitory computer readable storage medium having program instructions stored thereon for identifying and mitigating information security risks, the instructions being executable by a processor of a computing device, the instructions comprising: instructions for receiving, at a phishing metrics tool (PMT), a phishing hypertext transfer protocol (HTTP) request; instructions for sending a redirect message from the PMT to a browser session; instructions for receiving, at a phishing training tool (PTT), a request for an application, wherein the request is based at least in part on the received phishing HTTP request; instructions for sending, from the PTT to the browser session, the requested application; instructions for sending, from the PTT, a start message for a first training requirement; instructions for sending, from the PTT, a training exercise associated with the first training requirement; instructions for returning a status report for the first training requirement, the status report including an indication of whether at least a portion of the first training requirement has been failed; and instructions for redirecting, by the PMT, the browser session to undergo an additional training requirement related to the portion of the first training requirement which was failed, upon receipt of the status report, when the status report indicates that at least the portion of the first training requirement has been failed so that a user using the browser session is subjected to the additional training requirement.
 11. The non-transitory computer readable storage medium of claim 10, wherein the instructions further comprise: instructions for determining whether the training exercise has been completed; and instructions for generating a completion message in response to determining that the training exercise has been completed.
 12. The non-transitory computer readable storage medium of claim 11, wherein the instructions further comprise: instructions for sending the completion message from the PTT to the PMT in response to determining that the training exercise has been completed.
 13. The non-transitory computer readable storage medium of claim 10, wherein the training exercise is an ADOBE™ Flex application.
 14. The non-transitory computer readable storage medium of claim 10, wherein the training exercise is an ADOBE™ Flash application.
 15. The non-transitory computer readable storage medium of claim 10, wherein the training exercise is an HTML5 application.
 16. A system capable of identifying and mitigating information security risks, the system comprising: a phishing metric tool (PMT) configured to: receive a phishing hypertext transfer protocol (HTTP) request from a browser session; and send a redirect message to the browser session, the redirect message redirecting the browser session to a phishing training tool (PTT); an e-mail server configured to: send an e-mail message to a target user account, wherein the e-mail message is based on the phishing HTTP request, and wherein the e-mail message includes a unique identifier; and receive a response from the target user account, wherein the response includes the unique identifier; wherein the PTT is configured to: receive an application request based on the response; send the requested application to the browser session; send a start message for a training requirement for the target user account; send a training exercise associated with the training requirement; send a notification to the PMT of an identity of the target user account and the unique identifier; and update a status of the training exercise, the status of the training exercise including an indication of whether the user account has failed at least a portion of the training requirement, wherein the PMT is configured to redirect the user account to undergo an additional training requirement related to the portion of the training requirement which was failed, upon receipt of the status, when the status indicates that the user account has failed at least the portion of the training requirement so that the user account is subjected to the additional training requirement, and wherein the PMT and the PTT are respectively implemented by at least one processor of a computer processing device.
 17. The system of claim 16, wherein the PTT is in a trusted domain associated with an organization and wherein the target user account is associated with the organization.
 18. The system of claim 17, wherein the PMT is in an untrusted domain external to the organization comprising at least one web server and one or more distributed phishing agents.
 19. The system of claim 16, wherein the PMT is further configured to send a reminder notification in response to determining that the training exercise has not been completed within a designated time period.
 20. The system of claim 16, wherein the PTT is further configured to send a completion notification in response to determining that the training exercise has been completed.